Local councils have become one of the favourite targets for ransomware gangs and organised cybercriminals. Which is deeply reassuring when you remember councils handle housing benefits, social care, council tax, homelessness support, child protection records and payroll systems. Humanity really did decide to centralise critical services and then attach them to ageing Windows servers running forgotten software from 2012. Splendid idea.
The reality is this: UK council attacks are no longer “IT problems”. They are operational disasters affecting residents, businesses, vulnerable people and local economies.
How Many UK Councils Have Been Attacked?
The exact number is difficult to confirm because not every incident becomes public, but UK councils face thousands of cyber incidents every year.
According to the UK Government and Local Government Association, major ransomware and severe cyber incidents have affected councils including:
- London Borough of Hackney
- Redcar and Cleveland Borough Council
- Gloucester City Council
- Croydon Council
- Westminster City Council
- South Staffordshire District Council
The National Cyber Security Centre has repeatedly warned that local authorities are among the most targeted sectors in the UK because they:
- hold huge amounts of sensitive data
- often run older infrastructure
- have stretched IT budgets
- depend heavily on third-party suppliers
- cannot tolerate prolonged downtime
The attacks accelerated dramatically after 2020 as ransomware groups shifted toward public-sector targets.
Why Councils Became Prime Targets
Massive Data Holdings
Councils hold:
- National Insurance data
- housing records
- social care files
- safeguarding reports
- payroll data
- electoral records
- benefit information
To criminals, this is commercially valuable and highly sensitive.
Weak Legacy Infrastructure
Many councils still rely on:
- unsupported applications
- old Windows environments
- on-premise servers
- fragmented systems
- outdated procurement cycles
Attackers actively scan for these weaknesses.
Limited Cyber Security Budgets
Unlike banks or large enterprises, councils often cannot afford:
- 24/7 SOC monitoring
- enterprise MDR services
- modern identity protection
- extensive staff training
- dedicated incident response teams
The Biggest UK Council Cyber Attacks
The Hackney Council Ransomware Attack
London Borough of Hackney suffered one of the most devastating UK local authority cyber attacks in October 2020.
The attack was linked to the PYSA ransomware gang.
What Happened?
Hackers encrypted critical systems affecting:
- housing services
- council tax systems
- social care
- benefits systems
- planning systems
- payroll functions
Some services were affected for more than a year.
The council refused to pay the ransom.
How Did The Attackers Get In?
Hackney never publicly disclosed the exact entry method, but investigations and recovery reports strongly suggest:
- compromised credentials
- insufficient segmentation
- ransomware lateral movement
- legacy infrastructure weaknesses
This is common in ransomware attacks where attackers quietly move across networks before triggering encryption.
How Much Did It Cost?
Recovery costs exceeded £12 million.
That figure included:
- emergency recovery teams
- infrastructure rebuilding
- overtime staffing
- consultancy fees
- replacement systems
- legal and compliance work
- operational disruption
How Long Did Recovery Take?
Hackney was still dealing with the effects years later. Some systems reportedly took over 12 months to fully stabilise.
The attack disrupted services affecting around 250,000 residents.
The Redcar and Cleveland Cyber Attack
Redcar and Cleveland Borough Council was hit by ransomware in February 2020.
This became one of the UK’s most expensive local government cyber incidents.
What Happened?
The attack disrupted:
- bin collections
- planning systems
- social services
- schools
- housing systems
- financial operations
The attackers demanded around £1 million in ransom.
The council refused to pay.
How Did Attackers Get In?
The precise technical route was never fully published publicly, but ransomware attacks of this type commonly involve:
- phishing emails
- exposed Remote Desktop Protocol (RDP)
- stolen credentials
- unpatched vulnerabilities
How Much Did It Cost?
Initial estimates exceeded £16 million before later reviews reduced estimates closer to £8.7m to £11.3m depending on calculation methods and grants received.
For a local authority, this is catastrophic financially.
How Long Did Recovery Take?
Recovery continued for many months, with some operational impacts extending beyond a year.
The incident also forced:
- tax increases
- budget restructuring
- delayed projects
- emergency funding discussions
This is the hidden side of ransomware most SMEs ignore. The attack bill is usually far bigger than the ransom itself.
Gloucester City Council Attack
Gloucester City Council suffered a serious ransomware attack in December 2021.
How Did Attackers Get In?
The council later confirmed the attack began through a spear-phishing email.
That single email ultimately led to:
- malware deployment
- data exfiltration
- encrypted servers
- service outages
One employee clicking the wrong attachment can trigger millions in damage. Civilisation balanced delicately upon Karen from Accounts opening “invoice_december_final_FINAL.zip”.
Impact
Services were disrupted from days to months depending on the system involved.
Around 240,000 files were reportedly transferred externally during the breach.
Cost
Published recovery figures included:
- £728k+ revenue costs
- £141k+ replacement infrastructure
- £272k+ cloud migration costs
Total known costs exceeded £1 million.
Recovery Lessons
Gloucester eventually:
- rebuilt systems
- migrated heavily toward cloud services
- improved monitoring
- deployed SIEM tooling
- strengthened incident response planning
Ironically, many organisations only modernise after disaster. Humans will ignore cybersecurity budgets for five years then sign emergency contracts at triple the price after ransomware detonates payroll.
How Are Attackers Getting Into Councils?
Phishing Emails
Still the biggest entry route.
Attackers impersonate:
- suppliers
- internal staff
- Microsoft alerts
- invoices
- HMRC
- shared documents
One successful click can install malware or steal credentials.
Weak Passwords And Stolen Credentials
Many attacks begin with:
- password reuse
- weak admin passwords
- compromised VPN accounts
- leaked credentials from previous breaches
Attackers buy these credentials cheaply on dark web markets.
Unpatched Systems
Older systems are a huge problem in local government.
Attackers actively search for:
- outdated VPN appliances
- old Exchange servers
- vulnerable firewalls
- unsupported Windows systems
Once inside, they escalate privileges rapidly.
Lack Of Multi-Factor Authentication
Many older council environments lacked MFA across:
- remote access
- admin accounts
That dramatically increased compromise risk.
Supply Chain Weaknesses
Councils increasingly depend on:
- outsourced IT providers
- software suppliers
- cloud services
- managed services
A weak supplier can become the attack route.
The Local Government Association specifically warned about supplier attacks becoming a “soft underbelly”.
What Did These Attacks Actually Break?
This is where SMEs should pay attention.
The damage was not merely “computers stopped working”.
Real-world effects included:
- delayed housing benefit payments
- social care disruption
- inaccessible safeguarding records
- planning system failures
- payroll problems
- homelessness support delays
- communication failures
Hackney residents reportedly experienced delayed care support and benefit issues for months.
Cyber attacks become human crises extremely quickly.
What Can UK SMEs Learn From These Attacks?
Downtime Is The Real Killer
Most SMEs think:
“We’re too small to be targeted.”
Attackers do not care.
SMEs are often easier targets than councils.
The real cost is usually:
- operational downtime
- staff disruption
- lost customers
- reputational damage
- regulatory exposure
- recovery consultancy
- lost sales
Not merely the ransom.
Backups Alone Are Not Enough
Many organisations think backups solve ransomware.
They do not.
Problems include:
- backups connected to infected systems
- slow restoration
- corrupted backups
- poor testing
- missing cloud backups
- stolen data before encryption
Modern ransomware often involves data theft before systems are encrypted.
Recovery Can Take Months
Many SMEs assume:
“We’ll be back in a few days.”
Reality:
- rebuilding infrastructure takes time
- forensic investigations delay recovery
- insurance requirements slow restoration
- supplier dependencies create bottlenecks
Even councils with government support took months or years.
Staff Training Matters Enormously
One phishing email caused catastrophic disruption in Gloucester.
Staff awareness training remains one of the highest ROI security investments available.
Cyber Security Is Now Business Continuity
Cyber security is no longer just:
- antivirus
- firewalls
- passwords
It is operational resilience.
If systems fail:
- can staff still work?
- can invoices still be issued?
- can customers still contact you?
- can payroll run?
- can you recover fast enough?
That is now the real question.
What Would Have Prevented Many Of These Attacks?
Multi-Factor Authentication
MFA blocks huge numbers of credential-based attacks.
Especially on:
- Microsoft 365
- VPNs
- remote desktops
- admin accounts
Proper Network Segmentation
Many ransomware attacks spread because networks are too flat.
Segmentation limits lateral movement.
Modern Email Filtering
Advanced phishing filtering and attachment sandboxing would stop many attacks before users ever see them.
Regular Patch Management
Unpatched systems remain one of the largest attack surfaces.
Fast patching is essential.
Endpoint Detection And Response (EDR)
Modern EDR tools can often detect:
- ransomware behaviour
- privilege escalation
- suspicious lateral movement
- malicious PowerShell activity
before encryption fully deploys.
Offline Immutable Backups
Backups must be:
- isolated
- tested
- immutable
- recoverable quickly
Otherwise they become useless during ransomware incidents.
Security Awareness Training
Employees remain the front line.
Training should include:
- phishing simulation
- invoice fraud awareness
- password hygiene
- MFA education
- suspicious attachment handling
Incident Response Planning
Most organisations fail during the first 24 hours because nobody knows:
- who makes decisions
- who contacts insurers
- who speaks publicly
- how systems are isolated
- who manages customers
Councils repeatedly stated business continuity planning was essential during recovery.
The Bigger Problem Facing UK Councils
Many councils still operate under severe financial pressure.
That means:
- ageing infrastructure
- delayed upgrades
- staffing shortages
- fragmented suppliers
- technical debt
Unfortunately, attackers understand this perfectly.
Cybercriminals increasingly view local authorities as:
- high-pressure targets
- politically sensitive
- operationally vulnerable
- rich in sensitive data
The same logic applies to SMEs.
Attackers do not necessarily target whoever is biggest.
They target whoever is easiest.
Final Thoughts
The biggest misconception in UK business is:
“Cyber attacks happen to other people.”
Hackney, Redcar and Gloucester all believed they had reasonable controls.
Then:
- systems failed
- services stopped
- recovery bills exploded
- disruption lasted months or years
For SMEs, the lesson is brutally simple:
A serious cyber attack is rarely just an IT expense.
It becomes:
- a cash-flow problem
- a staffing problem
- a customer trust problem
- a legal problem
- an operational survival problem
The organisations recovering fastest today are usually the ones that invested before disaster struck, not after. Strange concept, preventative maintenance. Humans consistently treat cybersecurity like home insurance while simultaneously leaving the front door open and taping the alarm code to the window.
